forked from ipfs/community
Update security section of CONTRIBUTING.md (ipfs#772)
* Update security section of CONTRIBUTING.md
* Create SECURITY.md
* Update open_an_issue.md

Co-authored-by: Mosh <[email protected]>
Co-authored-by: ElPaisano <[email protected]>
Co-authored-by: Steve Loeppky <[email protected]>
Co-authored-by: Cameron Wood <[email protected]>
1 parent 0e066f4, commit 058ef19
Showing 3 changed files with 23 additions and 3 deletions.
@@ -17,7 +17,7 @@ Want to contribute to IPFS? Awesome! There are many ways to help, from reporting | |
- [**Looking for ways to contribute?**](#looking-for-ways-to-contribute) | ||
- [Dive Right In](#dive-right-in) | ||
- [Reporting Issues](#reporting-issues) | ||
- [Community Improvement](#community-improvement) | ||
- [Community Tooling Improvement](#community-tooling-improvement) | ||
- [Translations](#translations) | ||
- [Helping in other ways](#helping-in-other-ways) | ||
- [**Protocol Specification**](#protocol-specification) | ||
|
@@ -46,10 +46,12 @@ Want to contribute to IPFS? Awesome! There are many ways to help, from reporting | |
|
||
The IPFS protocol and its implementations are still in heavy development. This means that there may be problems in our protocols, or there may be mistakes in our implementations. And -- though IPFS is not production-ready yet -- many people are already running nodes in their machines. So we take security vulnerabilities very seriously. If you discover a security issue, please bring it to our attention right away! | ||
|
||
If you find a vulnerability that may affect live deployments -- for example, expose a remote execution exploit -- please send your report privately to [email protected], please DO NOT file a public issue. | ||
If you find a vulnerability that may affect live deployments -- for example, expose a remote execution exploit -- please send your report privately to [email protected], for abuse report see below. Please DO NOT file a public issue for security reports. | ||
|
||
If the issue is a protocol weakness or something not yet deployed, just discuss it openly. | ||
|
||
> Note that the IPFS project is much more than an [HTTP Gateway](https://docs.ipfs.tech/concepts/ipfs-gateway/) at https://ipfs.io/ipfs. The ipfs.io gateway is a "common good" product in the IPFS ecosystem. Therefore report **HTTP gateway abuse** (e.g. using an HTTP gateway for malware hosting, distribution of questionable content, phishing purposes, etc.) to their respective HTTP gateway owners. If you've seen abusive material distributed through ipfs.io, please report it to [[email protected]](mailto:[email protected]). See our [Security Policy](SECURITY.md) for more details. | ||
## Community Guidelines | ||
|
||
We want to keep the IPFS community awesome, growing and collaborative. We need your help to keep it that way. Please review our [code-of-conduct](code-of-conduct.md). | ||
|
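Review bot: the added line in this hunk still routes every vulnerability report to the single security address ("please send your report privately to [email protected]"), while the SECURITY.md created in the same commit tells reporters to contact the implementation team first and use the security address only for protocol-level or unclear issues; the two documents should give the same routing, most simply by having this paragraph defer to SECURITY.md for where to send the report. Two smaller points on the same line: "for abuse report see below" should read "for abuse reports, see below", and the unchanged context sentence "though IPFS is not production-ready yet" now disagrees with SECURITY.md's "varying but active levels of development", so it is worth updating here as well.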
@@ -0,0 +1,18 @@ | ||
# Security Policy | ||
|
||
## Reporting a Vulnerability | ||
|
||
The IPFS protocol and its implementations are in varying but active levels of development. This means that there may be problems in our protocols, or there may be mistakes in our implementations. We take security vulnerabilities very seriously. If you discover a security issue, please bring it to our attention right away! | ||
|
||
If you find a vulnerability that may affect live deployments -- for example, expose a remote execution exploit -- please send your report privately to either: | ||
1. The implementation team if its an issue with a particular implementation OR | ||
2. [email protected] if you're not sure or if its an underlying issue with an IPFS protocol. | ||
Please DO NOT file a public issue. | ||
|
||
If the issue is a protocol weakness or something not yet deployed, just discuss it openly. | ||
|
||
## Reporting Abuse | ||
|
||
While [IPFS is a stack of protocols and tools for moving content-addressed data](https://specs.ipfs.tech/architecture/principles/), there is often confusion about one particular manifestation of IPFS in [HTTP Gateways](https://docs.ipfs.tech/concepts/ipfs-gateway/) like https://ipfs.io/ipfs. We have seen a lot of reports about **abuse | ||
from these IPFS gateways** (e.g. using an HTTP gateway for malware hosting, distributing questionable content, phishing purposes, etc.). These should be reported directly to the HTTP gateway product that provides the data. | ||
To report abuse about the ipfs.io HTTP gateway, please send an email to [[email protected]](mailto:[email protected]). Do not open an issue here since IPFS is a community project, and is not the same as the ipfs.io HTTP gateway. |
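Review bot: item 1 ("The implementation team if its an issue with a particular implementation") gives the reporter no way to find that team's private reporting channel, so anyone following this policy has to guess where to send a report; link each implementation's own security contact, or state that the SECURITY.md in that implementation's repository should be used. Markdown layout: "Please DO NOT file a public issue." follows item 2 with no blank line, so it renders as a lazy continuation of that list item rather than as its own sentence; a blank line before it fixes that. Typos: "its" should be "it's" in both list items.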